My understanding of current password crackers is that there are many enhanced techniques they'll use, including the data from breaches, but also upper case cycling, and common letter substitutions with special characters (e.g. ! for l) and so on. If they can, they will also index your hard drive for all the words on there to use as seeds, so what you thought was private knowledge no longer is. Which is why my personal preference is for a few long diceware passwords, plus a password manager. What the article doesn't emphasize though, is the dismal website support for TFA, and adoption of reasonable TFA like U2F is glacial. Or the providers will attempt to foist nasty biometric nonsense, or mobile-phone stuff on an unsuspecting public.
A password manager is the only real solution and it is convenient (a good one anyway). I have long, strong passwords and I don't have to type or remember anything. (some web sites' max char limit is laughable and the ones that can't handle symbols really leave me to question just how vulnerable that site is) For high-profile accounts (Microsoft, LastPass, Google, popular games), 2FA (Google Authenticator, Microsoft's authenticator) is effective and not cumbersome.
Indeed, like Microsoft (xbox, 10) or Paypal, 16 char limit and paypal does not even allow paste, so creating a strong password really gets on nerves.
My Bank doesn't allow copy & past but i can do Ctrl + v. The longer the password AT&T used to ask for a 4 number pin now I read they want a 6 to 8 number pin. I use a password manager and a long password.to lock the password manager
The issue with copy and paste is the clipboard log on some systems. For instance some Windows computers with Microsoft Word installed can be configured to keep the copy/paste history. This can be hugely convenient, but isn't great for passwords since the log is in plain text.
I like the convenience (I use Ditto and Pushbullet) and with 20-60-character passwords, I'm surely using the clipboard!
I've always made a point to make my important PW's (encryption keys especially, etc...) as long as possible. Meaning 63 (ASCII)/WPA2 key, or 32. But employ both methods. I try to make them memorable my creating phrases with intentional typos the way the words sound, with strong vowels capitalized and punctuation. And numbers that mean something to me only. 20 digits long is very strong too, and I use it often. I try not to go under that believe it or not... I know it sounds like overkill. 8 should be the bare minimum, with combination of upper/lower case, numbers, and special characters. As long as there's no properly spelled word in there it should take forever to crack. 32 digits ASCII and we're talking it standing the life age of the Earth. I once had a router that didn't accept special characters for the key... what a joke. Didn't hang onto that one for long. I wonder how much of a difference it would be between having a 63 digit ASCII key or 64 digit HEX?... anyone know for sure here? I would think that 1 extra character would make a substantial difference in strength. Each multiple of 12 I've heard makes a good bit of difference compared to 1 digit less. 12 vs. 11 for example, or 32 vs. 31. I wonder then why they wouldn't allow you to just create 64 digit ASCII keys? Because then even 3 letter agencies would have a rough time breaking them?...
